Puppet Class: openstack::horizon::source_deploy
- Defined in:
- modules/openstack/manifests/horizon/source_deploy.pp
Overview
Because we deploy Horizon from source, and because the OpenStack APIs are backwards-compatible, we typically deploy a newer version of Horizon than the other OpenStack services.
That means we track two different version settings here:
$horizon_version: the actual version of Horizon that's running
$openstack_version: the version used for the other OpenStack services, e.g. on cloudcontrol1001.
We need to know the value of $openstack_version so that we can pull the policy files that Horizon uses from the appropriate services and avoid having to duplicate them just for Horizon to consume.
# File 'modules/openstack/manifests/horizon/source_deploy.pp', line 16
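# Parameters referenced directly in the class body:
#   $horizon_version    - selects the directory that Horizon's own templates
#                         and files are taken from
#   $openstack_version  - selects the directory that the per-service policy
#                         files are copied from
#   $webserver_hostname - title of the httpd::site and name of its template
#
# No other parameter is referenced in the body below. Presumably they are read
# by the ERB templates rendered here (local_settings.py.erb and the vhost
# template) -- confirm against those templates. Several of them are
# credentials ($wmflabsdotorg_pass, $ldap_user_pass, $secret_key,
# $proxy_zone_passwords).
class openstack::horizon::source_deploy(
    String          $horizon_version,
    String          $openstack_version,
    Stdlib::Fqdn    $keystone_api_fqdn,
    String          $wmflabsdotorg_admin,
    String          $wmflabsdotorg_pass,
    Stdlib::Fqdn    $dhcp_domain,
    String          $instance_network_id,
    Stdlib::Host    $ldap_rw_host,
    String          $ldap_user_pass,
    Array[String]   $all_regions,
    String          $puppet_git_repo_name,
    String          $puppet_git_repo_user,
    String          $secret_key,
    Hash            $proxy_zone_dict,
    Hash            $proxy_zone_passwords,
    Stdlib::HTTPUrl $puppet_enc_endpoint,
    String          $venv_dir           = '/srv/deployment/horizon/venv',
    Stdlib::Fqdn    $webserver_hostname = 'horizon.wikimedia.org',
    Boolean         $maintenance_mode   = false,
) {
    # Build-time dependencies for the virtualenv-based source deployment.
    ensure_packages([
        'python-wheel',
        'python-virtualenv',
        'virtualenv',
        'gettext',
    ])

    # Not used by any resource parameter other than the key file title below;
    # presumably also read by a template -- confirm.
    $puppet_git_repo_key_path = '/home/horizon/.ssh/instance-puppet-user.priv'

    # Main Horizon settings file.
    # NOTE(review): the class takes several credentials that are presumably
    # rendered into this file. If so, mode 0444 makes them readable by every
    # local account; narrowing it (e.g. 0440 with the group of the WSGI
    # process) needs knowledge of which user Apache runs Horizon as, which is
    # not visible here. show_diff is disabled so that rendered content does
    # not end up in agent logs or reports, as for the private key below.
    file { '/etc/openstack-dashboard/local_settings.py':
        content   => template("openstack/${horizon_version}/horizon/local_settings.py.erb"),
        mode      => '0444',
        owner     => 'root',
        show_diff => false,
        notify    => Service['apache2'],
    }

    # Policy files are taken from the module directories of the services
    # themselves (at $openstack_version) instead of being duplicated for
    # Horizon. nova keeps its file under 'common/'; the others sit at the top
    # of the service directory. Resource titles are unchanged:
    # /etc/openstack-dashboard/<service>_policy.yaml
    $service_policy_sources = {
        'nova'      => 'nova/common/policy.yaml',
        'keystone'  => 'keystone/policy.yaml',
        'glance'    => 'glance/policy.yaml',
        'designate' => 'designate/policy.yaml',
        'neutron'   => 'neutron/policy.yaml',
        'cinder'    => 'cinder/policy.yaml',
        'trove'     => 'trove/policy.yaml',
    }
    $service_policy_sources.each |String $service, String $policy_path| {
        file { "/etc/openstack-dashboard/${service}_policy.yaml":
            source => "puppet:///modules/openstack/${openstack_version}/${policy_path}",
            owner  => 'root',
            mode   => '0444',
            notify => Service['apache2'],
        }
    }

    # A user and group to run this as
    group { 'horizon':
        ensure => present,
        name   => 'horizon',
        system => true,
    }
    user { 'horizon':
        ensure     => present,
        gid        => 'horizon',
        system     => true,
        managehome => true,
    }

    # This is a trivial policy file that forbids everything. We'll use it
    # for services that we don't support to prevent Horizon from
    # displaying spurious panels.
    file { '/etc/openstack-dashboard/disabled_policy.yaml':
        source => "puppet:///modules/openstack/${horizon_version}/horizon/disabled_policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    scap::target { 'horizon/deploy':
        deploy_user  => 'deploy-service',
        service_name => 'apache2',
    }

    # Allow deploy-service to restart apache as root.
    # Also, it needs to sudo as horizon to gather and compress
    # static content.
    #
    # NOTE(review): '(horizon) NOPASSWD: ALL' lets deploy-service run any
    # command as horizon, which includes reading the instance-puppet private
    # key installed at the end of this class. Treat the two accounts as a
    # single trust domain, or narrow the rule to the commands the deployment
    # actually runs.
    #
    # NOTE(review): in sudoers, a wildcard in command arguments also matches
    # spaces and '/', so the two chown rules are not confined to paths under
    # the venv. Tightening them needs a matching change in whatever invokes
    # them (not visible here); a root-owned wrapper script with fixed
    # arguments is the usual replacement. The path is also hard-coded and
    # does not follow $venv_dir.
    sudo::user { 'deploy-service':
        privileges => [
            'ALL = (root) NOPASSWD: /usr/sbin/service apache2 start',
            'ALL = (root) NOPASSWD: /usr/sbin/apache2ctl graceful-stop',
            'ALL = (horizon) NOPASSWD: ALL',
            'ALL = (root) NOPASSWD: /bin/chown -R horizon /srv/deployment/horizon/venv/*',
            'ALL = (root) NOPASSWD: /bin/chown -R deploy-service /srv/deployment/horizon/venv/*',
        ],
    }

    # The vhost is only declared once the settings file exists.
    httpd::site { $webserver_hostname:
        content => template("openstack/${horizon_version}/horizon/${webserver_hostname}.erb"),
        require => File['/etc/openstack-dashboard/local_settings.py'],
    }

    # We need to do some work that would otherwise be handled by the horizon
    # debian package
    file { '/etc/openstack-dashboard':
        ensure => 'directory',
        owner  => 'root',
    }

    # Prepare this directory for scap to drop some files into.
    # NOTE(review): it sits inside the root-owned config directory but is
    # owned by deploy-service, so its contents are under the deploy account's
    # control; presumably Horizon reads policy defaults from it -- confirm.
    file { '/etc/openstack-dashboard/default_policies':
        ensure  => 'directory',
        owner   => 'deploy-service',
        require => File['/etc/openstack-dashboard'],
    }

    file { '/var/lib/openstack-dashboard':
        ensure => 'directory',
        owner  => 'horizon',
        group  => 'horizon',
        mode   => '0755',
    }
    file { '/var/lib/openstack-dashboard/static':
        ensure  => 'directory',
        owner   => 'horizon',
        mode    => '0755',
        require => File['/var/lib/openstack-dashboard'],
    }

    # Static page: readable by everyone, no execute bits needed.
    file { '/var/lib/openstack-dashboard/static/maintenance.html':
        source  => 'puppet:///modules/openstack/horizon/maintenance.html',
        owner   => 'horizon',
        group   => 'horizon',
        mode    => '0644',
        require => File['/var/lib/openstack-dashboard/static'],
    }

    # Get ready to host a local git repo of instance puppet config.
    # The mode is written as 0700 to state the intent: Puppet adds the search
    # bit to a directory wherever the read bit is set, so this is what the
    # previous '0600' resulted in.
    file { '/home/horizon/.ssh/':
        ensure => 'directory',
        owner  => 'horizon',
        mode   => '0700',
    }

    # Private key, taken from the secret() lookup. Owner-only permissions, and
    # show_diff is off so the key material never appears in agent output.
    file { $puppet_git_repo_key_path:
        ensure    => file,
        owner     => 'horizon',
        group     => 'horizon',
        mode      => '0600',
        content   => secret('ssh/instance-puppet-user/instance-puppet-user_privkey.pem'),
        show_diff => false,
    }
}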